Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

The Azure Diagnostics Splunk App includes a custom input script to import Microsoft Azure Diagnostics into Splunk, two dashboard and searches.

==========================================
Azure Diagnostics Splunk App Documentation
==========================================

Author: Michel Chamberland (<http://www.securitywire.com>) <merc@securitywire.com>

Description:

The Azure Diagnostics Splunk App includes a custom input script to import Microsoft
Azure Diagnostics into Splunk, two dashboard and searches.

Requirements:

You need to have configured your Windows Azure Application to use Azure Diagnostics
and store its logs into a Windows Azure storage account (more information on this
can be found at the Microsoft MSDN web site). To configure this Splunk App, you will
need the storage account name and one of the access keys used for authentication.
This information can be found on the Azure Portal at <https://windows.azure.com>.
Currently, this app is able to download and display the following items:

- Windows Events
- Performance Counters
- Trace Logs
- Infrastructure Logs
- Directories Table

Installation:

- Install the app from splunkbase
- The first time the app runs, a setup screen will be presented, you will need to
enter the following:
1. "Storage Account" (enter the azure storage account name here)
2. "Azure Storage Key" (Enter one of the two azure storage key here)
3. "Confirm Password" Re-enter the same storage key from the previous step
to confirm
4. Click the save button
5. Go to Manager -> Data Input -> Scripts
- On Windows: Enable the azurepoll.py script with backslashes (\)
in its path
- On Linux, OS X, Unix: Enable the azurepoll.py script with
slashes (/) in its path

Future Enhancements:

- Download IIS Logs from azure blobs
- Groom Azure Storage Account Diagnostics Data (Option to delete data that has been
transfered to Splunk from the azure storage account)

Feedback:

If there is anything you would like to see in this app, please let me know!

Michel Chamberland
<http://www.securitywire.com>
C|EH, CCNA, CCNA Security, Security+, Network+, A+, Project+, MCTS, MCP, CIW Pro
merc@securitywire.com

Credits:

Thanks to Sriram Krishnan and Steve Marx at Microsoft for their Python wrapper around
Windows Azure storage on which this Splunk App builds upon.